1WIRESHARK(1) WIRESHARK(1)
2
3
4
6 wireshark - Interactively dump and analyze network traffic
7
9 wireshark [ -i <capture interface>|- ] [ -f <capture filter> ]
10 [ -Y <display filter> ] [ -w <outfile> ] [ options ] [ <infile> ]
11
13 Wireshark is a GUI network protocol analyzer. It lets you interactively
14 browse packet data from a live network or from a previously saved
15 capture file. Wireshark's native capture file formats are pcapng format
16 and pcap format; it can read and write both formats.. pcap format is
17 also the format used by tcpdump and various other tools; tcpdump, when
18 using newer verions of the libpcap library, can also read some pcapng
19 files, and, on newer versions of macOS, can read all pcapng files and
20 can write them as well.
21
22 Wireshark can also read / import the following file formats:
23
24 • Oracle (previously Sun) snoop and atmsnoop captures
25
26 • Finisar (previously Shomiti) Surveyor captures
27
28 • Microsoft Network Monitor captures
29
30 • Novell LANalyzer captures
31
32 • AIX’s iptrace captures
33
34 • Cinco Networks NetXRay captures
35
36 • NETSCOUT (previously Network Associates/Network General)
37 Windows-based Sniffer captures
38
39 • Network General/Network Associates DOS-based Sniffer captures
40 (compressed or uncompressed)
41
42 • LiveAction (previously WildPackets/Savvius)
43 *Peek/EtherHelp/PacketGrabber captures
44
45 • RADCOM's WAN/LAN analyzer captures
46
47 • Viavi (previously Network Instruments) Observer captures
48
49 • Lucent/Ascend router debug output
50
51 • captures from HP-UX nettl
52
53 • Toshiba’s ISDN routers dump output
54
55 • the output from i4btrace from the ISDN4BSD project
56
57 • traces from the EyeSDN USB S0
58
59 • the IPLog format output from the Cisco Secure Intrusion Detection
60 System
61
62 • pppd logs (pppdump format)
63
64 • the output from VMS’s TCPIPtrace/TCPtrace/UCX$TRACE utilities
65
66 • the text output from the DBS Etherwatch VMS utility
67
68 • Visual Networks' Visual UpTime traffic capture
69
70 • the output from CoSine L2 debug
71
72 • the output from InfoVista (previously Accellent) 5View LAN agents
73
74 • Endace Measurement Systems' ERF format captures
75
76 • Linux Bluez Bluetooth stack hcidump -w traces
77
78 • Catapult DCT2000 .out files
79
80 • Gammu generated text output from Nokia DCT3 phones in Netmonitor
81 mode
82
83 • IBM Series (OS/400) Comm traces (ASCII & UNICODE)
84
85 • Juniper Netscreen snoop files
86
87 • Symbian OS btsnoop files
88
89 • TamoSoft CommView files
90
91 • Tektronix K12xx 32bit .rf5 format files
92
93 • Tektronix K12 text file format captures
94
95 • Apple PacketLogger files
96
97 • Captures from Aethra Telecommunications' PC108 software for their
98 test instruments
99
100 • Citrix NetScaler Trace files
101
102 • Android Logcat binary and text format logs
103
104 • Colasoft Capsa and PacketBuilder captures
105
106 • Micropross mplog files
107
108 • Unigraf DPA-400 DisplayPort AUX channel monitor traces
109
110 • 802.15.4 traces from Daintree’s Sensor Network Analyzer
111
112 • MPEG-2 Transport Streams as defined in ISO/IEC 13818-1
113
114 • Log files from the candump utility
115
116 • Logs from the BUSMASTER tool
117
118 • Ixia IxVeriWave raw captures
119
120 • Rabbit Labs CAM Inspector files
121
122 • systemd journal files
123
124 • 3GPP TS 32.423 trace files
125
126 There is no need to tell Wireshark what type of file you are reading;
127 it will determine the file type by itself. Wireshark is also capable of
128 reading any of these file formats if they are compressed using gzip.
129 Wireshark recognizes this directly from the file; the '.gz' extension
130 is not required for this purpose.
131
132 Like other protocol analyzers, Wireshark's main window shows 3 views of
133 a packet. It shows a summary line, briefly describing what the packet
134 is. A packet details display is shown, allowing you to drill down to
135 exact protocol or field that you interested in. Finally, a hex dump
136 shows you exactly what the packet looks like when it goes over the
137 wire.
138
139 In addition, Wireshark has some features that make it unique. It can
140 assemble all the packets in a TCP conversation and show you the ASCII
141 (or EBCDIC, or hex) data in that conversation. Display filters in
142 Wireshark are very powerful; more fields are filterable in Wireshark
143 than in other protocol analyzers, and the syntax you can use to create
144 your filters is richer. As Wireshark progresses, expect more and more
145 protocol fields to be allowed in display filters.
146
147 Packet capturing is performed with the pcap library. The capture filter
148 syntax follows the rules of the pcap library. This syntax is different
149 from the display filter syntax.
150
151 Compressed file support uses (and therefore requires) the zlib library.
152 If the zlib library is not present, Wireshark will compile, but will be
153 unable to read compressed files.
154
155 The pathname of a capture file to be read can be specified with the -r
156 option or can be specified as a command-line argument.
157
159 Most users will want to start Wireshark without options and configure
160 it from the menus instead. Those users may just skip this section.
161
162 -a|--autostop <capture autostop condition>
163
164 Specify a criterion that specifies when Wireshark is to stop
165 writing to a capture file. The criterion is of the form test:value,
166 where test is one of:
167
168 duration:value Stop writing to a capture file after value seconds
169 have elapsed. Floating point values (e.g. 0.5) are allowed.
170
171 files:value Stop writing to capture files after value number of
172 files were written.
173
174 filesize:value Stop writing to a capture file after it reaches a
175 size of value kB. If this option is used together with the -b
176 option, Wireshark will stop writing to the current capture file and
177 switch to the next one if filesize is reached. Note that the
178 filesize is limited to a maximum value of 2 GiB.
179
180 packets:value Stop writing to a capture file after it contains
181 value packets. Acts the same as -c<capture packet count>.
182
183 -b|--ring-buffer <capture ring buffer option>
184
185 Cause Wireshark to run in "multiple files" mode. In "multiple
186 files" mode, Wireshark will write to several capture files. When
187 the first capture file fills up, Wireshark will switch writing to
188 the next file and so on.
189
190 The created filenames are based on the filename given with the -w
191 flag, the number of the file and on the creation date and time,
192 e.g. outfile_00001_20230714120117.pcap,
193 outfile_00002_20230714120523.pcap, ...
194
195 With the files option it’s also possible to form a "ring buffer".
196 This will fill up new files until the number of files specified, at
197 which point Wireshark will discard the data in the first file and
198 start writing to that file and so on. If the files option is not
199 set, new files filled up until one of the capture stop conditions
200 match (or until the disk is full).
201
202 The criterion is of the form key:value, where key is one of:
203
204 duration:value switch to the next file after value seconds have
205 elapsed, even if the current file is not completely filled up.
206 Floating point values (e.g. 0.5) are allowed.
207
208 files:value begin again with the first file after value number of
209 files were written (form a ring buffer). This value must be less
210 than 100000. Caution should be used when using large numbers of
211 files: some filesystems do not handle many files in a single
212 directory well. The files criterion requires one of the other
213 criteria to be specified to control when to go to the next file. It
214 should be noted that each -b parameter takes exactly one criterion;
215 to specify two criteria, each must be preceded by the -b option.
216
217 filesize:value switch to the next file after it reaches a size of
218 value kB. Note that the filesize is limited to a maximum value of 2
219 GiB.
220
221 interval:value switch to the next file when the time is an exact
222 multiple of value seconds.
223
224 packets:value switch to the next file after it contains value
225 packets.
226
227 Example: -b filesize:1000 -b files:5 results in a ring buffer of
228 five files of size one megabyte each.
229
230 -B|--buffer-size <capture buffer size>
231
232 Set capture buffer size (in MiB, default is 2 MiB). This is used by
233 the capture driver to buffer packet data until that data can be
234 written to disk. If you encounter packet drops while capturing, try
235 to increase this size. Note that, while Wireshark attempts to set
236 the buffer size to 2 MiB by default, and can be told to set it to a
237 larger value, the system or interface on which you’re capturing
238 might silently limit the capture buffer size to a lower value or
239 raise it to a higher value.
240
241 This is available on UNIX systems with libpcap 1.0.0 or later and
242 on Windows. It is not available on UNIX systems with earlier
243 versions of libpcap.
244
245 This option can occur multiple times. If used before the first
246 occurrence of the -i option, it sets the default capture buffer
247 size. If used after an -i option, it sets the capture buffer size
248 for the interface specified by the last -i option occurring before
249 this option. If the capture buffer size is not set specifically,
250 the default capture buffer size is used instead.
251
252 -c <capture packet count>
253
254 Set the maximum number of packets to read when capturing live data.
255 Acts the same as -a packets:<capture packet count>.
256
257 -C <configuration profile>
258
259 Start with the given configuration profile.
260
261 --capture-comment <comment>
262
263 When performing a capture file from the command line, with the -k
264 flag, add a capture comment to the output file, if supported by the
265 capture format.
266
267 This option may be specified multiple times. Note that Wireshark
268 currently only displays the first comment of a capture file.
269
270 -d <layer type>==<selector>,<decode-as protocol>
271
272 Like Wireshark’s Decode As... feature, this lets you specify how a
273 layer type should be dissected. If the layer type in question (for
274 example, tcp.port or udp.port for a TCP or UDP port number) has the
275 specified selector value, packets should be dissected as the
276 specified protocol.
277
278 Example: -d tcp.port==8888,http will decode any traffic running
279 over TCP port 8888 as HTTP.
280
281 See the tshark(1) manual page for more examples.
282
283 -D|--list-interfaces
284
285 Print a list of the interfaces on which Wireshark can capture, and
286 exit. For each network interface, a number and an interface name,
287 possibly followed by a text description of the interface, is
288 printed. The interface name or the number can be supplied to the -i
289 flag to specify an interface on which to capture.
290
291 This can be useful on systems that don’t have a command to list
292 them (UNIX systems lacking ifconfig -a or Linux systems lacking ip
293 link show). The number can be useful on Windows systems, where the
294 interface name might be a long name or a GUID.
295
296 Note that "can capture" means that Wireshark was able to open that
297 device to do a live capture; if, on your system, a program doing a
298 network capture must be run from an account with special privileges
299 (for example, as root), then, if Wireshark is run with the -D flag
300 and is not run from such an account, it will not list any
301 interfaces.
302
303 --display <X display to use>
304
305 Specifies the X display to use. A hostname and screen
306 (otherhost:0.0) or just a screen (:0.0) can be specified. This
307 option is not available under Windows.
308
309 --disable-protocol <proto_name>
310
311 Disable dissection of proto_name.
312
313 --disable-heuristic <short_name>
314
315 Disable dissection of heuristic protocol.
316
317 --enable-protocol <proto_name>
318
319 Enable dissection of proto_name.
320
321 --enable-heuristic <short_name>
322
323 Enable dissection of heuristic protocol.
324
325 -f <capture filter>
326
327 Set the capture filter expression.
328
329 This option can occur multiple times. If used before the first
330 occurrence of the -i option, it sets the default capture filter
331 expression. If used after an -i option, it sets the capture filter
332 expression for the interface specified by the last -i option
333 occurring before this option. If the capture filter expression is
334 not set specifically, the default capture filter expression is used
335 if provided.
336
337 Pre-defined capture filter names, as shown in the GUI menu item
338 Capture→Capture Filters, can be used by prefixing the argument with
339 "predef:". Example: -f "predef:MyPredefinedHostOnlyFilter"
340
341 --fullscreen
342
343 Start Wireshark in full screen mode (kiosk mode). To exit from
344 fullscreen mode, open the View menu and select the Full Screen
345 option. Alternatively, press the F11 key (or Ctrl + Cmd + F for
346 macOS).
347
348 -g <packet number>
349
350 After reading in a capture file using the -r flag, go to the given
351 packet number.
352
353 -h|--help
354
355 Print the version number and options and exit.
356
357 -H
358
359 Hide the capture info dialog during live packet capture.
360
361 -i|--interface <capture interface>|-
362
363 Set the name of the network interface or pipe to use for live
364 packet capture.
365
366 Network interface names should match one of the names listed in
367 "wireshark -D" (described above); a number, as reported by
368 "wireshark -D", can also be used. If you’re using UNIX, "netstat
369 -i", "ifconfig -a" or "ip link" might also work to list interface
370 names, although not all versions of UNIX support the -a option to
371 ifconfig.
372
373 If no interface is specified, Wireshark searches the list of
374 interfaces, choosing the first non-loopback interface if there are
375 any non-loopback interfaces, and choosing the first loopback
376 interface if there are no non-loopback interfaces. If there are no
377 interfaces at all, Wireshark reports an error and doesn’t start the
378 capture.
379
380 Pipe names should be either the name of a FIFO (named pipe) or "-"
381 to read data from the standard input. On Windows systems, pipe
382 names must be of the form "\\.\pipe\pipename". Data read from pipes
383 must be in standard pcapng or pcap format. Pcapng data must have
384 the same endianness as the capturing host.
385
386 "TCP@<host>:<port>" causes Wireshark to attempt to connect to the
387 specified port on the specified host and read pcapng or pcap data.
388
389 This option can occur multiple times. When capturing from multiple
390 interfaces, the capture file will be saved in pcapng format.
391
392 -I|--monitor-mode
393
394 Put the interface in "monitor mode"; this is supported only on IEEE
395 802.11 Wi-Fi interfaces, and supported only on some operating
396 systems.
397
398 Note that in monitor mode the adapter might disassociate from the
399 network with which it’s associated, so that you will not be able to
400 use any wireless networks with that adapter. This could prevent
401 accessing files on a network server, or resolving host names or
402 network addresses, if you are capturing in monitor mode and are not
403 connected to another network with another adapter.
404
405 This option can occur multiple times. If used before the first
406 occurrence of the -i option, it enables the monitor mode for all
407 interfaces. If used after an -i option, it enables the monitor mode
408 for the interface specified by the last -i option occurring before
409 this option.
410
411 -j
412
413 Use after -J to change the behavior when no exact match is found
414 for the filter. With this option select the first packet before.
415
416 -J <jump filter>
417
418 After reading in a capture file using the -r flag, jump to the
419 packet matching the filter (display filter syntax). If no exact
420 match is found the first packet after that is selected.
421
422 -k
423
424 Start the capture session immediately. If the -i flag was
425 specified, the capture uses the specified interface. Otherwise,
426 Wireshark searches the list of interfaces, choosing the first
427 non-loopback interface if there are any non-loopback interfaces,
428 and choosing the first loopback interface if there are no
429 non-loopback interfaces; if there are no interfaces, Wireshark
430 reports an error and doesn’t start the capture.
431
432 -K <keytab>
433
434 Load kerberos crypto keys from the specified keytab file. This
435 option can be used multiple times to load keys from several files.
436
437 Example: -K krb5.keytab
438
439 -l
440
441 Turn on automatic scrolling if the packet display is being updated
442 automatically as packets arrive during a capture (as specified by
443 the -S flag).
444
445 -L|--list-data-link-types
446
447 List the data link types supported by the interface and exit.
448
449 --list-time-stamp-types
450
451 List time stamp types supported for the interface. If no time stamp
452 type can be set, no time stamp types are listed.
453
454 -n
455
456 Disable network object name resolution (such as hostname, TCP and
457 UDP port names), the -N flag might override this one.
458
459 -N <name resolving flags>
460
461 Turn on name resolving only for particular types of addresses and
462 port numbers, with name resolving for other types of addresses and
463 port numbers turned off. This flag overrides -n if both -N and -n
464 are present. If both -N and -n flags are not present, all name
465 resolutions are turned on.
466
467 The argument is a string that may contain the letters:
468
469 m to enable MAC address resolution
470
471 n to enable network address resolution
472
473 N to enable using external resolvers (e.g., DNS) for network
474 address resolution
475
476 t to enable transport-layer port number resolution
477
478 d to enable resolution from captured DNS packets
479
480 v to enable VLAN IDs to names resolution
481
482 -o <preference/recent setting>
483
484 Set a preference or recent value, overriding the default value and
485 any value read from a preference/recent file. The argument to the
486 flag is a string of the form prefname:value, where prefname is the
487 name of the preference/recent value (which is the same name that
488 would appear in the preference/recent file), and value is the value
489 to which it should be set. Since Ethereal 0.10.12, the recent
490 settings replaces the formerly used -B, -P and -T flags to
491 manipulate the GUI dimensions.
492
493 If prefname is "uat", you can override settings in various user
494 access tables using the form "uat:uat filename:uat record". uat
495 filename must be the name of a UAT file, e.g. user_dlts. uat_record
496 must be in the form of a valid record for that file, including
497 quotes. For instance, to specify a user DLT from the command line,
498 you would use
499
500 -o "uat:user_dlts:\"User 0 (DLT=147)\",\"cops\",\"0\",\"\",\"0\",\"\""
501
502 -p|--no-promiscuous-mode
503
504 Don’t put the interface into promiscuous mode. Note that the
505 interface might be in promiscuous mode for some other reason;
506 hence, -p cannot be used to ensure that the only traffic that is
507 captured is traffic sent to or from the machine on which Wireshark
508 is running, broadcast traffic, and multicast traffic to addresses
509 received by that machine.
510
511 This option can occur multiple times. If used before the first
512 occurrence of the -i option, no interface will be put into the
513 promiscuous mode. If used after an -i option, the interface
514 specified by the last -i option occurring before this option will
515 not be put into the promiscuous mode.
516
517 -P <path setting>
518
519 Special path settings usually detected automatically. This is used
520 for special cases, e.g. starting Wireshark from a known location on
521 an USB stick.
522
523 The criterion is of the form key:path, where key is one of:
524
525 persconf:path path of personal configuration files, like the
526 preferences files.
527
528 persdata:path path of personal data files, it’s the folder
529 initially opened. After the very first initialization, the recent
530 file will keep the folder last used.
531
532 -r|--read-file <infile>
533
534 Read packet data from infile, can be any supported capture file
535 format (including gzipped files). It’s not possible to use named
536 pipes or stdin here! To capture from a pipe or from stdin use -i -
537
538 -R|--read-filter <read (display) filter>
539
540 When reading a capture file specified with the -r flag, causes the
541 specified filter (which uses the syntax of display filters, rather
542 than that of capture filters) to be applied to all packets read
543 from the capture file; packets not matching the filter are
544 discarded.
545
546 -s|--snapshot-length <capture snaplen>
547
548 Set the default snapshot length to use when capturing live data. No
549 more than snaplen bytes of each network packet will be read into
550 memory, or saved to disk. A value of 0 specifies a snapshot length
551 of 262144, so that the full packet is captured; this is the
552 default.
553
554 This option can occur multiple times. If used before the first
555 occurrence of the -i option, it sets the default snapshot length.
556 If used after an -i option, it sets the snapshot length for the
557 interface specified by the last -i option occurring before this
558 option. If the snapshot length is not set specifically, the default
559 snapshot length is used if provided.
560
561 -S
562
563 Automatically update the packet display as packets are coming in.
564
565 -t a|ad|adoy|d|dd|e|r|u|ud|udoy
566
567 Set the format of the packet timestamp displayed in the packet list
568 window. The format can be one of:
569
570 a absolute: The absolute time, as local time in your time zone, is
571 the actual time the packet was captured, with no date displayed
572
573 ad absolute with date: The absolute date, displayed as YYYY-MM-DD,
574 and time, as local time in your time zone, is the actual time and
575 date the packet was captured
576
577 adoy absolute with date using day of year: The absolute date,
578 displayed as YYYY/DOY, and time, as local time in your time zone,
579 is the actual time and date the packet was captured
580
581 d delta: The delta time is the time since the previous packet was
582 captured
583
584 dd delta_displayed: The delta_displayed time is the time since the
585 previous displayed packet was captured
586
587 e epoch: The time in seconds since epoch (Jan 1, 1970 00:00:00)
588
589 r relative: The relative time is the time elapsed between the first
590 packet and the current packet
591
592 u UTC: The absolute time, as UTC, is the actual time the packet was
593 captured, with no date displayed
594
595 ud UTC with date: The absolute date, displayed as YYYY-MM-DD, and
596 time, as UTC, is the actual time and date the packet was captured
597
598 udoy UTC with date using day of year: The absolute date, displayed
599 as YYYY/DOY, and time, as UTC, is the actual time and date the
600 packet was captured
601
602 The default format is relative.
603
604 --temp-dir <directory>
605
606 Specifies the directory into which temporary files (including
607 capture files) are to be written. The default behaviour is to use
608 your system’s temporary directory (typically /tmp on Linux, and
609 C:\\Temp on Windows).
610
611 --time-stamp-type <type>
612
613 Change the interface’s timestamp method. See
614 --list-time-stamp-types.
615
616 -u <s|hms>
617
618 Output format of seconds (def: s: seconds)
619
620 -v|--version
621
622 Print the full version information and exit.
623
624 -w <outfile>
625
626 Set the default capture file name, or '-' for standard output.
627
628 -X <eXtension options>
629
630 Specify an option to be passed to an Wireshark module. The
631 eXtension option is in the form extension_key:value, where
632 extension_key can be:
633
634 lua_script:lua_script_filename tells Wireshark to load the given
635 script in addition to the default Lua scripts.
636
637 lua_scriptnum:argument tells Wireshark to pass the given argument
638 to the lua script identified by 'num', which is the number indexed
639 order of the 'lua_script' command. For example, if only one script
640 was loaded with '-X lua_script:my.lua', then '-X lua_script1:foo'
641 will pass the string 'foo' to the 'my.lua' script. If two scripts
642 were loaded, such as '-X lua_script:my.lua' and '-X
643 lua_script:other.lua' in that order, then a '-X lua_script2:bar'
644 would pass the string 'bar' to the second lua script, namely
645 'other.lua'.
646
647 read_format:file_format tells Wireshark to use the given file
648 format to read in the file (the file given in the -r command
649 option).
650
651 stdin_descr:description tells Wireshark to use the given
652 description when capturing from standard input (-i -).
653
654 -y|--linktype <capture link type>
655
656 If a capture is started from the command line with -k, set the data
657 link type to use while capturing packets. The values reported by -L
658 are the values that can be used.
659
660 This option can occur multiple times. If used before the first
661 occurrence of the -i option, it sets the default capture link type.
662 If used after an -i option, it sets the capture link type for the
663 interface specified by the last -i option occurring before this
664 option. If the capture link type is not set specifically, the
665 default capture link type is used if provided.
666
667 -Y|--display-filter <displaY filter>
668
669 Start with the given display filter.
670
671 -z <statistics>
672
673 Get Wireshark to collect various types of statistics and display
674 the result in a window that updates in semi-real time.
675
676 Some of the currently implemented statistics are:
677
678 -z help
679
680 Display all possible values for -z.
681
682 -z afp,srt[,filter]
683
684 Show Apple Filing Protocol service response time statistics.
685
686 -z conv,type[,filter]
687
688 Create a table that lists all conversations that could be seen in
689 the capture. type specifies the conversation endpoint types for
690 which we want to generate the statistics; currently the supported
691 ones are:
692
693 "eth" Ethernet addresses
694 "fc" Fibre Channel addresses
695 "fddi" FDDI addresses
696 "ip" IPv4 addresses
697 "ipv6" IPv6 addresses
698 "ipx" IPX addresses
699 "tcp" TCP/IP socket pairs Both IPv4 and IPv6 are supported
700 "tr" Token Ring addresses
701 "udp" UDP/IP socket pairs Both IPv4 and IPv6 are supported
702
703 If the optional filter is specified, only those packets that match
704 the filter will be used in the calculations.
705
706 The table is presented with one line for each conversation and
707 displays the number of packets/bytes in each direction as well as
708 the total number of packets/bytes. By default, the table is sorted
709 according to the total number of packets.
710
711 These tables can also be generated at runtime by selecting the
712 appropriate conversation type from the menu
713 "Tools/Statistics/Conversation List/".
714
715 -z dcerpc,srt,name-or-uuid,major.minor[,filter]
716
717 Collect call/reply SRT (Service Response Time) data for DCERPC
718 interface name or uuid, version major.minor. Data collected is the
719 number of calls for each procedure, MinSRT, MaxSRT and AvgSRT.
720 Interface name and uuid are case-insensitive.
721
722 Example: -z dcerpc,srt,12345778-1234-abcd-ef00-0123456789ac,1.0
723 will collect data for the CIFS SAMR Interface.
724
725 This option can be used multiple times on the command line.
726
727 If the optional filter is provided, the stats will only be
728 calculated on those calls that match that filter.
729
730 Example: -z
731 dcerpc,srt,12345778-1234-abcd-ef00-0123456789ac,1.0,ip.addr==1.2.3.4
732 will collect SAMR SRT statistics for a specific host.
733
734 -z dhcp,stat[,filter]
735
736 Show DHCP (BOOTP) statistics.
737
738 -z expert
739
740 Show expert information.
741
742 -z fc,srt[,filter]
743
744 Collect call/reply SRT (Service Response Time) data for FC. Data
745 collected is the number of calls for each Fibre Channel command,
746 MinSRT, MaxSRT and AvgSRT.
747
748 Example: -z fc,srt will calculate the Service Response Time as the
749 time delta between the First packet of the exchange and the Last
750 packet of the exchange.
751
752 The data will be presented as separate tables for all normal FC
753 commands, Only those commands that are seen in the capture will
754 have its stats displayed.
755
756 This option can be used multiple times on the command line.
757
758 If the optional filter is provided, the stats will only be
759 calculated on those calls that match that filter.
760
761 Example: -z "fc,srt,fc.id==01.02.03" will collect stats only for FC
762 packets exchanged by the host at FC address 01.02.03 .
763
764 -z h225,counter[,filter]
765
766 Count ITU-T H.225 messages and their reasons. In the first column
767 you get a list of H.225 messages and H.225 message reasons which
768 occur in the current capture file. The number of occurrences of
769 each message or reason is displayed in the second column.
770
771 Example: -z h225,counter
772
773 This option can be used multiple times on the command line.
774
775 If the optional filter is provided, the stats will only be
776 calculated on those calls that match that filter.
777
778 Example: -z "h225,counter,ip.addr==1.2.3.4" will collect stats only
779 for H.225 packets exchanged by the host at IP address 1.2.3.4 .
780
781 -z h225,srt[,filter]
782
783 Collect request/response SRT (Service Response Time) data for ITU-T
784 H.225 RAS. Data collected is the number of calls of each ITU-T
785 H.225 RAS Message Type, Minimum SRT, Maximum SRT, Average SRT,
786 Minimum in Packet, and Maximum in Packet. You will also get the
787 number of Open Requests (Unresponded Requests), Discarded Responses
788 (Responses without matching request) and Duplicate Messages.
789
790 Example: -z h225,srt
791
792 This option can be used multiple times on the command line.
793
794 If the optional filter is provided, the stats will only be
795 calculated on those calls that match that filter.
796
797 Example: -z "h225,srt,ip.addr==1.2.3.4" will collect stats only for
798 ITU-T H.225 RAS packets exchanged by the host at IP address 1.2.3.4
799 .
800
801 -z io,stat
802
803 Collect packet/bytes statistics for the capture in intervals of 1
804 second. This option will open a window with up to 5 color-coded
805 graphs where number-of-packets-per-second or
806 number-of-bytes-per-second statistics can be calculated and
807 displayed.
808
809 This option can be used multiple times on the command line.
810
811 This graph window can also be opened from the
812 Analyze:Statistics:Traffic:IO-Stat menu item.
813
814 -z ldap,srt[,filter]
815
816 Collect call/reply SRT (Service Response Time) data for LDAP. Data
817 collected is the number of calls for each implemented LDAP command,
818 MinSRT, MaxSRT and AvgSRT.
819
820 Example: -z ldap,srt will calculate the Service Response Time as
821 the time delta between the Request and the Response.
822
823 The data will be presented as separate tables for all implemented
824 LDAP commands, Only those commands that are seen in the capture
825 will have its stats displayed.
826
827 This option can be used multiple times on the command line.
828
829 If the optional filter is provided, the stats will only be
830 calculated on those calls that match that filter.
831
832 Example: use -z "ldap,srt,ip.addr==10.1.1.1" will collect stats
833 only for LDAP packets exchanged by the host at IP address 10.1.1.1
834 .
835
836 The only LDAP commands that are currently implemented and for which
837 the stats will be available are: BIND SEARCH MODIFY ADD DELETE
838 MODRDN COMPARE EXTENDED
839
840 -z megaco,srt[,filter]
841
842 Collect request/response SRT (Service Response Time) data for
843 MEGACO. (This is similar to -z smb,srt). Data collected is the
844 number of calls for each known MEGACO Command, Minimum SRT, Maximum
845 SRT and Average SRT.
846
847 Example: -z megaco,srt
848
849 This option can be used multiple times on the command line.
850
851 If the optional filter is provided, the stats will only be
852 calculated on those calls that match that filter.
853
854 Example: -z "megaco,srt,ip.addr==1.2.3.4" will collect stats only
855 for MEGACO packets exchanged by the host at IP address 1.2.3.4 .
856
857 -z mgcp,srt[,filter]
858
859 Collect request/response SRT (Service Response Time) data for MGCP.
860 (This is similar to -z smb,srt). Data collected is the number of
861 calls for each known MGCP Type, Minimum SRT, Maximum SRT and
862 Average SRT.
863
864 Example: -z mgcp,srt
865
866 This option can be used multiple times on the command line.
867
868 If the optional filter is provided, the stats will only be
869 calculated on those calls that match that filter.
870
871 Example: -z "mgcp,srt,ip.addr==1.2.3.4" will collect stats only for
872 MGCP packets exchanged by the host at IP address 1.2.3.4 .
873
874 -z mtp3,msus[,<filter>]
875
876 Show MTP3 MSU statistics.
877
878 -z multicast,stat[,<filter>]
879
880 Show UDP multicast stream statistics.
881
882 -z rpc,programs
883
884 Collect call/reply SRT data for all known ONC-RPC
885 programs/versions. Data collected is the number of calls for each
886 protocol/version, MinSRT, MaxSRT and AvgSRT.
887
888 -z rpc,srt,name-or-number,version[,<filter>]
889
890 Collect call/reply SRT (Service Response Time) data for program
891 name/version or number/version. Data collected is the number of
892 calls for each procedure, MinSRT, MaxSRT and AvgSRT. Program name
893 is case-insensitive.
894
895 Example: -z rpc,srt,100003,3 will collect data for NFS v3.
896
897 This option can be used multiple times on the command line.
898
899 If the optional filter is provided, the stats will only be
900 calculated on those calls that match that filter.
901
902 Example: -z rpc,srt,nfs,3,nfs.fh.hash==0x12345678 will collect NFS
903 v3 SRT statistics for a specific file.
904
905 -z scsi,srt,cmdset[,<filter>]
906
907 Collect call/reply SRT (Service Response Time) data for SCSI
908 commandset <cmdset>.
909
910 Commandsets are 0:SBC 1:SSC 5:MMC
911
912 Data collected is the number of calls for each procedure, MinSRT,
913 MaxSRT and AvgSRT.
914
915 Example: -z scsi,srt,0 will collect data for SCSI BLOCK COMMANDS
916 (SBC).
917
918 This option can be used multiple times on the command line.
919
920 If the optional filter is provided, the stats will only be
921 calculated on those calls that match that filter.
922
923 Example: -z scsi,srt,0,ip.addr==1.2.3.4 will collect SCSI SBC SRT
924 statistics for a specific iscsi/ifcp/fcip host.
925
926 -z sip,stat[,filter]
927
928 This option will activate a counter for SIP messages. You will get
929 the number of occurrences of each SIP Method and of each SIP
930 Status-Code. Additionally you also get the number of resent SIP
931 Messages (only for SIP over UDP).
932
933 Example: -z sip,stat
934
935 This option can be used multiple times on the command line.
936
937 If the optional filter is provided, the stats will only be
938 calculated on those calls that match that filter.
939
940 Example: -z "sip,stat,ip.addr==1.2.3.4" will collect stats only for
941 SIP packets exchanged by the host at IP address 1.2.3.4 .
942
943 -z smb,srt[,filter]
944
945 Collect call/reply SRT (Service Response Time) data for SMB. Data
946 collected is the number of calls for each SMB command, MinSRT,
947 MaxSRT and AvgSRT.
948
949 Example: -z smb,srt
950
951 The data will be presented as separate tables for all normal SMB
952 commands, all Transaction2 commands and all NT Transaction
953 commands. Only those commands that are seen in the capture will
954 have their stats displayed. Only the first command in a xAndX
955 command chain will be used in the calculation. So for common
956 SessionSetupAndX + TreeConnectAndX chains, only the
957 SessionSetupAndX call will be used in the statistics. This is a
958 flaw that might be fixed in the future.
959
960 This option can be used multiple times on the command line.
961
962 If the optional filter is provided, the stats will only be
963 calculated on those calls that match that filter.
964
965 Example: -z "smb,srt,ip.addr==1.2.3.4" will collect stats only for
966 SMB packets exchanged by the host at IP address 1.2.3.4 .
967
968 -z voip,calls
969
970 This option will show a window that shows VoIP calls found in the
971 capture file. This is the same window shown as when you go to the
972 Statistics Menu and choose VoIP Calls.
973
974 Example: -z voip,calls
975
976 -z wlan,stat[,<filter>]
977
978 Show IEEE 802.11 network and station statistics.
979
980 -z wsp,stat[,<filter>]
981
982 Show WSP packet counters.
983
985 --log-level <level>
986 Set the active log level. Supported levels in lowest to highest
987 order are "noisy", "debug", "info", "message", "warning",
988 "critical", and "error". Messages at each level and higher will be
989 printed, for example "warning" prints "warning", "critical", and
990 "error" messages and "noisy" prints all messages. Levels are case
991 insensitive.
992
993 --log-fatal <level>
994 Abort the program if any messages are logged at the specified level
995 or higher. For example, "warning" aborts on any "warning",
996 "critical", or "error" messages.
997
998 --log-domains <list>
999 Only print messages for the specified log domains, e.g.
1000 "GUI,Epan,sshdump". List of domains must be comma-separated.
1001
1002 --log-debug <list>
1003 Force the specified domains to log at the "debug" level. List of
1004 domains must be comma-separated.
1005
1006 --log-noisy <list>
1007 Force the specified domains to log at the "noisy" level. List of
1008 domains must be comma-separated.
1009
1010 --log-file <path>
1011 Write log messages and stderr output to the specified file.
1012
1014 MENU ITEMS
1015 File › Open, File › Open Recent, File › Merge
1016
1017 Merge another capture file to the currently loaded one. The
1018 File:Merge dialog box allows the merge "Prepended",
1019 "Chronologically" or "Appended", relative to the already loaded
1020 one.
1021
1022 File › Close
1023
1024 Open or close a capture file. The File:Open dialog box allows a
1025 filter to be specified; when the capture file is read, the filter
1026 is applied to all packets read from the file, and packets not
1027 matching the filter are discarded. The File:Open Recent is a
1028 submenu and will show a list of previously opened files.
1029
1030 File › Save, File › Save As
1031
1032 Save the current capture, or the packets currently displayed from
1033 that capture, to a file. Check boxes let you select whether to save
1034 all packets, or just those that have passed the current display
1035 filter and/or those that are currently marked, and an option menu
1036 lets you select (from a list of file formats in which at particular
1037 capture, or the packets currently displayed from that capture, can
1038 be saved), a file format in which to save it.
1039
1040 File › File Set › List Files
1041
1042 Show a dialog box that lists all files of the file set matching the
1043 currently loaded file. A file set is a compound of files resulting
1044 from a capture using the "multiple files" / "ringbuffer" mode,
1045 recognizable by the filename pattern, e.g.:
1046 Filename_00001_20230714101530.pcap.
1047
1048 File › File Set › Next File, File › File Set › Previous File
1049
1050 If the currently loaded file is part of a file set (see above),
1051 open the next / previous file in that set.
1052
1053 File › Export
1054
1055 Export captured data into an external format. Note: the data cannot
1056 be imported back into Wireshark, so be sure to keep the capture
1057 file.
1058
1059 File › Print
1060
1061 Print packet data from the current capture. You can select the
1062 range of packets to be printed (which packets are printed), and the
1063 output format of each packet (how each packet is printed). The
1064 output format will be similar to the displayed values, so a summary
1065 line, the packet details view, and/or the hex dump of the packet
1066 can be printed.
1067
1068 Printing options can be set with the Edit:Preferences menu item, or
1069 in the dialog box popped up by this menu item.
1070
1071 File › Quit
1072 Exit the application.
1073
1074 Edit › Copy › Description
1075 Copies the description of the selected field in the protocol tree
1076 to the clipboard.
1077
1078 Edit › Copy › Fieldname
1079 Copies the fieldname of the selected field in the protocol tree to
1080 the clipboard.
1081
1082 Edit › Copy › Value
1083 Copies the value of the selected field in the protocol tree to the
1084 clipboard.
1085
1086 Edit › Copy › As Filter
1087
1088 Create a display filter based on the data currently highlighted in
1089 the packet details and copy that filter to the clipboard.
1090
1091 If that data is a field that can be tested in a display filter
1092 expression, the display filter will test that field; otherwise, the
1093 display filter will be based on the absolute offset within the
1094 packet. Therefore it could be unreliable if the packet contains
1095 protocols with variable-length headers, such as a source-routed
1096 token-ring packet.
1097
1098 Edit › Find Packet
1099
1100 Search forward or backward, starting with the currently selected
1101 packet (or the most recently selected packet, if no packet is
1102 selected). Search criteria can be a display filter expression, a
1103 string of hexadecimal digits, or a text string.
1104
1105 When searching for a text string, you can search the packet data,
1106 or you can search the text in the Info column in the packet list
1107 pane or in the packet details pane.
1108
1109 Hexadecimal digits can be separated by colons, periods, or dashes.
1110 Text string searches can be ASCII or Unicode (or both), and may be
1111 case insensitive.
1112
1113 Edit › Find Next, Edit › Find Previous
1114
1115 Search forward / backward for a packet matching the filter from the
1116 previous search, starting with the currently selected packet (or
1117 the most recently selected packet, if no packet is selected).
1118
1119 Edit › Mark Packet (toggle)
1120
1121 Mark (or unmark if currently marked) the selected packet. The field
1122 "frame.marked" is set for packets that are marked, so that, for
1123 example, a display filters can be used to display only marked
1124 packets, and so that the /"Edit:Find Packet" dialog can be used to
1125 find the next or previous marked packet.
1126
1127 Edit › Find Next Mark, Edit › Find Previous Mark
1128 Find next or previous marked packet.
1129
1130 Edit › Mark All Packets, Edit › Unmark All Packets
1131 Mark or unmark all packets that are currently displayed.
1132
1133 Edit › Time Reference › Set Time Reference (toggle)
1134
1135 Set (or unset if currently set) the selected packet as a Time
1136 Reference packet. When a packet is set as a Time Reference packet,
1137 the timestamps in the packet list pane will be replaced with the
1138 string "REF". The relative time timestamp in later packets will
1139 then be calculated relative to the timestamp of this Time Reference
1140 packet and not the first packet in the capture.
1141
1142 Packets that have been selected as Time Reference packets will
1143 always be displayed in the packet list pane. Display filters will
1144 not affect or hide these packets.
1145
1146 If there is a column displayed for "Cumulative Bytes" this counter
1147 will be reset at every Time Reference packet.
1148
1149 Edit › Time Reference › Find Next, Edit › Time Reference › Find
1150 Previous
1151 Search forward or backward for a time referenced packet.
1152
1153 Edit › Configuration Profiles
1154 Manage configuration profiles to be able to use more than one set
1155 of preferences and configurations.
1156
1157 Edit › Preferences
1158 Set the GUI, capture, printing and protocol options (see
1159 /Preferences dialog below).
1160
1161 View › Main Toolbar, View › Filter Toolbar, View › Statusbar
1162 Show or hide the main window controls.
1163
1164 View › Packet List, View › Packet Details, View › Packet Bytes
1165 Show or hide the main window panes.
1166
1167 View › Time Display Format
1168 Set the format of the packet timestamp displayed in the packet list
1169 window.
1170
1171 View › Name Resolution › Resolve Name
1172 Try to resolve a name for the currently selected item.
1173
1174 View › Name Resolution › Enable for ... Layer
1175 Enable or disable translation of addresses to names in the display.
1176
1177 View › Colorize Packet List
1178 Enable or disable the coloring rules. Disabling will improve
1179 performance.
1180
1181 View › Auto Scroll in Live Capture
1182 Enable or disable the automatic scrolling of the packet list while
1183 a live capture is in progress.
1184
1185 View › Zoom In, View › Zoom Out
1186 Zoom into or out of the main window data (by changing the font
1187 size).
1188
1189 View › Normal Size
1190 Reset the zoom level back to normal font size.
1191
1192 View › Resize All Columns
1193 Resize all columns to best fit the current packet display.
1194
1195 View › Expand / Collapse Subtrees
1196 Expand or collapse the currently selected item and its subtrees in
1197 the packet details.
1198
1199 View › Expand All, View › Collapse All
1200 Expand or Collapse all branches of the packet details.
1201
1202 View › Colorize Conversation
1203 Select a color for a conversation.
1204
1205 View › Reset Coloring 1-10
1206 Reset a color for a conversation.
1207
1208 View › Coloring Rules
1209
1210 Change the foreground and background colors of the packet
1211 information in the list of packets, based upon display filters. The
1212 list of display filters is applied to each packet sequentially.
1213 After the first display filter matches a packet, any additional
1214 display filters in the list are ignored. Therefore, if you are
1215 filtering on the existence of protocols, you should list the
1216 higher-level protocols first, and the lower-level protocols last.
1217
1218 How Colorization Works
1219
1220 Packets are colored according to a list of color filters. Each
1221 filter consists of a name, a filter expression and a coloration. A
1222 packet is colored according to the first filter that it matches.
1223 Color filter expressions use exactly the same syntax as display
1224 filter expressions.
1225
1226 When Wireshark starts, the color filters are loaded from:
1227
1228 1. The user’s personal color filters file or, if that does not
1229 exist,
1230
1231 2. The global color filters file.
1232
1233 If neither of these exist then the packets will not be colored.
1234
1235 View › Show Packet In New Window
1236
1237 Create a new window containing a packet details view and a hex dump
1238 window of the currently selected packet; this window will continue
1239 to display that packet’s details and data even if another packet is
1240 selected.
1241
1242 View › Reload
1243 Reload a capture file. Same as File:Close and File:Open the same
1244 file again.
1245
1246 Go › Back
1247 Go back in previously visited packets history.
1248
1249 Go › Forward
1250 Go forward in previously visited packets history.
1251
1252 Go › Go To Packet
1253 Go to a particular numbered packet.
1254
1255 Go › Go To Corresponding Packet
1256
1257 If a field in the packet details pane containing a packet number is
1258 selected, go to the packet number specified by that field. (This
1259 works only if the dissector that put that entry into the packet
1260 details put it into the details as a filterable field rather than
1261 just as text.) This can be used, for example, to go to the packet
1262 for the request corresponding to a reply, or the reply
1263 corresponding to a request, if that packet number has been put into
1264 the packet details.
1265
1266 Go › Previous Packet, Go › Next Packet, Go › First Packet, Go › Last
1267 Packet
1268 Go to the previous, next, first, or last packet in the capture.
1269
1270 Go › Previous Packet In Conversation, Go › Next Packet In Conversation
1271 Go to the previous or next packet of the TCP, UDP or IP
1272 conversation.
1273
1274 Capture › Interfaces
1275
1276 Shows a dialog box with all currently known interfaces and
1277 displaying the current network traffic amount. Capture sessions can
1278 be started from here. Beware: keeping this box open results in high
1279 system load!
1280
1281 Capture › Options
1282
1283 Initiate a live packet capture (see /"Capture Options Dialog"
1284 below). If no filename is specified, a temporary file will be
1285 created to hold the capture. The location of the file can be chosen
1286 by setting your TMPDIR environment variable before starting
1287 Wireshark. Otherwise, the default TMPDIR location is
1288 system-dependent, but is likely either /var/tmp or /tmp.
1289
1290 Capture › Start
1291
1292 Start a live packet capture with the previously selected options.
1293 This won’t open the options dialog box, and can be convenient for
1294 repeatedly capturing with the same options.
1295
1296 Capture › Stop
1297 Stop a running live capture.
1298
1299 Capture › Restart
1300
1301 While a live capture is running, stop it and restart with the same
1302 options again. This can be convenient to remove irrelevant packets,
1303 if no valuable packets were captured so far.
1304
1305 Capture › Capture Filters
1306 Edit the saved list of capture filters, allowing filters to be
1307 added, changed, or deleted.
1308
1309 Analyze › Display Filters
1310 Edit the saved list of display filters, allowing filters to be
1311 added, changed, or deleted.
1312
1313 Analyze › Display Filter Macros
1314 Create shortcuts for complex macros.
1315
1316 Analyze › Apply as Filter
1317
1318 Create a display filter based on the data currently highlighted in
1319 the packet details and apply the filter.
1320
1321 If that data is a field that can be tested in a display filter
1322 expression, the display filter will test that field; otherwise, the
1323 display filter will be based on the absolute offset within the
1324 packet. Therefore it could be unreliable if the packet contains
1325 protocols with variable-length headers, such as a source-routed
1326 token-ring packet.
1327
1328 The Selected option creates a display filter that tests for a match
1329 of the data; the Not Selected option creates a display filter that
1330 tests for a non-match of the data. The And Selected, Or Selected,
1331 And Not Selected, and Or Not Selected options add to the end of the
1332 display filter in the strip at the top (or bottom) an AND or OR
1333 operator followed by the new display filter expression.
1334
1335 Analyze › Prepare as Filter
1336
1337 Create a display filter based on the data currently highlighted in
1338 the packet details. The filter strip at the top (or bottom) is
1339 updated but it is not yet applied.
1340
1341 Analyze › Enabled Protocols
1342
1343 Allow protocol dissection to be enabled or disabled for a specific
1344 protocol. Individual protocols can be enabled or disabled by
1345 clicking on them in the list or by highlighting them and pressing
1346 the space bar. The entire list can be enabled, disabled, or
1347 inverted using the buttons below the list.
1348
1349 When a protocol is disabled, dissection in a particular packet
1350 stops when that protocol is reached, and Wireshark moves on to the
1351 next packet. Any higher-layer protocols that would otherwise have
1352 been processed will not be displayed. For example, disabling TCP
1353 will prevent the dissection and display of TCP, HTTP, SMTP, Telnet,
1354 and any other protocol exclusively dependent on TCP.
1355
1356 The list of protocols can be saved, so that Wireshark will start up
1357 with the protocols in that list disabled.
1358
1359 Analyze › Decode As
1360
1361 If you have a packet selected, present a dialog allowing you to
1362 change which dissectors are used to decode this packet. The dialog
1363 has one panel each for the link layer, network layer and transport
1364 layer protocol/port numbers, and will allow each of these to be
1365 changed independently. For example, if the selected packet is a TCP
1366 packet to port 12345, using this dialog you can instruct Wireshark
1367 to decode all packets to or from that TCP port as HTTP packets.
1368
1369 Analyze › User Specified Decodes
1370
1371 Create a new window showing whether any protocol ID to dissector
1372 mappings have been changed by the user. This window also allows the
1373 user to reset all decodes to their default values.
1374
1375 Analyze › Follow TCP Stream
1376
1377 If you have a TCP packet selected, display the contents of the data
1378 stream for the TCP connection to which that packet belongs, as
1379 text, in a separate window, and leave the list of packets in a
1380 filtered state, with only those packets that are part of that TCP
1381 connection being displayed. You can revert to your old view by
1382 pressing ENTER in the display filter text box, thereby invoking
1383 your old display filter (or resetting it back to no display
1384 filter).
1385
1386 The window in which the data stream is displayed lets you select:
1387
1388 • whether to display the entire conversation, or one or the other
1389 side of it;
1390
1391 • whether the data being displayed is to be treated as ASCII or
1392 EBCDIC text or as raw hex data;
1393
1394 and lets you print what’s currently being displayed, using the same
1395 print options that are used for the File:Print Packet menu item, or
1396 save it as text to a file.
1397
1398 Analyze › Follow UDP Stream, Analyze › Follow TLS Stream
1399 Similar to Analyze:Follow TCP Stream.
1400
1401 Analyze › Expert Info, Analyze › Expert Info Composite
1402 Show anomalies found by Wireshark in a capture file.
1403
1404 Analyze › Conversation Filter, Statistics › Summary
1405
1406 Show summary information about the capture, including elapsed time,
1407 packet counts, byte counts, and the like. If a display filter is in
1408 effect, summary information will be shown about the capture and
1409 about the packets currently being displayed.
1410
1411 Statistics › Protocol Hierarchy
1412
1413 Show the number of packets, and the number of bytes in those
1414 packets, for each protocol in the trace. It organizes the protocols
1415 in the same hierarchy in which they were found in the trace.
1416 Besides counting the packets in which the protocol exists, a count
1417 is also made for packets in which the protocol is the last protocol
1418 in the stack. These last-protocol counts show you how many packets
1419 (and the byte count associated with those packets) ended in a
1420 particular protocol. In the table, they are listed under "End
1421 Packets" and "End Bytes".
1422
1423 Statistics › Conversations
1424 Lists of conversations; selectable by protocol. See
1425 Statistics:Conversation List below.
1426
1427 Statistics › End Points
1428 List of End Point Addresses by protocol with packets, bytes, and
1429 other counts.
1430
1431 Statistics › Packet Lengths
1432 Grouped counts of packet lengths (0-19 bytes, 20-39 bytes, ...)
1433
1434 Statistics › I/O Graphs
1435
1436 Open a window where up to 5 graphs in different colors can be
1437 displayed to indicate number of packets or number of bytes per
1438 second for all packets matching the specified filter. By default
1439 only one graph will be displayed showing number of packets per
1440 second.
1441
1442 The top part of the window contains the graphs and scales for the X
1443 and Y axis. If the graph is too long to fit inside the window there
1444 is a horizontal scrollbar below the drawing area that can scroll
1445 the graphs to the left or the right. The horizontal axis displays
1446 the time into the capture and the vertical axis will display the
1447 measured quantity at that time.
1448
1449 Below the drawing area and the scrollbar are the controls. On the
1450 bottom left there will be five similar sets of controls to control
1451 each individual graph such as "Display:<button>" which button will
1452 toggle that individual graph on/off. If <button> is ticked, the
1453 graph will be displayed. "Color:<color>" which is just a button to
1454 show which color will be used to draw that graph. Finally
1455 "Filter:<filter-text>" which can be used to specify a display
1456 filter for that particular graph.
1457
1458 If filter-text is empty then all packets will be used to calculate
1459 the quantity for that graph. If filter-text is specified only those
1460 packets that match that display filter will be considered in the
1461 calculation of quantity.
1462
1463 To the right of the 5 graph controls there are four menus to
1464 control global aspects of the draw area and graphs. The "Unit:"
1465 menu is used to control what to measure; "packets/tick",
1466 "bytes/tick" or "advanced..."
1467
1468 packets/tick will measure the number of packets matching the (if
1469 specified) display filter for the graph in each measurement
1470 interval.
1471
1472 bytes/tick will measure the total number of bytes in all packets
1473 matching the (if specified) display filter for the graph in each
1474 measurement interval.
1475
1476 advanced... see below
1477
1478 "Tick interval:" specifies what measurement intervals to use. The
1479 default is 1 second and means that the data will be counted over 1
1480 second intervals.
1481
1482 "Pixels per tick:" specifies how many pixels wide each measurement
1483 interval will be in the drawing area. The default is 5 pixels per
1484 tick.
1485
1486 "Y-scale:" controls the max value for the y-axis. Default value is
1487 "auto" which means that Wireshark will try to adjust the maxvalue
1488 automatically.
1489
1490 "advanced..." If Unit:advanced... is selected the window will
1491 display two more controls for each of the five graphs. One control
1492 will be a menu where the type of calculation can be selected from
1493 SUM,COUNT,MAX,MIN,AVG and LOAD, and one control, textbox, where the
1494 name of a single display filter field can be specified.
1495
1496 The following restrictions apply to type and field combinations:
1497
1498 SUM: available for all types of integers and will calculate the SUM
1499 of all occurrences of this field in the measurement interval. Note
1500 that some field can occur multiple times in the same packet and
1501 then all instances will be summed up. Example: 'tcp.len' which will
1502 count the amount of payload data transferred across TCP in each
1503 interval.
1504
1505 COUNT: available for all field types. This will COUNT the number of
1506 times certain field occurs in each interval. Note that some fields
1507 may occur multiple times in each packet and if that is the case
1508 then each instance will be counted independently and COUNT will be
1509 greater than the number of packets.
1510
1511 MAX: available for all integer and relative time fields. This will
1512 calculate the max seen integer/time value seen for the field during
1513 the interval. Example: 'smb.time' which will plot the maximum SMB
1514 response time.
1515
1516 MIN: available for all integer and relative time fields. This will
1517 calculate the min seen integer/time value seen for the field during
1518 the interval. Example: 'smb.time' which will plot the minimum SMB
1519 response time.
1520
1521 AVG: available for all integer and relative time fields.This will
1522 calculate the average seen integer/time value seen for the field
1523 during the interval. Example: 'smb.time' which will plot the
1524 average SMB response time.
1525
1526 LOAD: available only for relative time fields (response times).
1527
1528 Example of advanced: Display how NFS response time MAX/MIN/AVG
1529 changes over time:
1530
1531 Set first graph to:
1532
1533 filter:nfs&&rpc.time
1534 Calc:MAX rpc.time
1535
1536 Set second graph to
1537
1538 filter:nfs&&rpc.time
1539 Calc:AVG rpc.time
1540
1541 Set third graph to
1542
1543 filter:nfs&&rpc.time
1544 Calc:MIN rpc.time
1545
1546 Example of advanced: Display how the average packet size from host
1547 a.b.c.d changes over time.
1548
1549 Set first graph to
1550
1551 filter:ip.addr==a.b.c.d&&frame.pkt_len
1552 Calc:AVG frame.pkt_len
1553
1554 LOAD: The LOAD io-stat type is very different from anything you
1555 have ever seen before! While the response times themselves as
1556 plotted by MIN,MAX,AVG are indications on the Server load (which
1557 affects the Server response time), the LOAD measurement measures
1558 the Client LOAD. What this measures is how much workload the client
1559 generates, i.e. how fast will the client issue new commands when
1560 the previous ones completed. i.e. the level of concurrency the
1561 client can maintain. The higher the number, the more and faster is
1562 the client issuing new commands. When the LOAD goes down, it may be
1563 due to client load making the client slower in issuing new commands
1564 (there may be other reasons as well, maybe the client just doesn’t
1565 have any commands it wants to issue right then).
1566
1567 Load is measured in concurrency/number of overlapping i/o and the
1568 value 1000 means there is a constant load of one i/o.
1569
1570 In each tick interval the amount of overlap is measured. See the
1571 graph below containing three commands: Below the graph are the LOAD
1572 values for each interval that would be calculated.
1573
1574 | | | | | | | | |
1575 | | | | | | | | |
1576 | | o=====* | | | | | |
1577 | | | | | | | | |
1578 | o========* | o============* | | |
1579 | | | | | | | | |
1580 --------------------------------------------------> Time
1581 500 1500 500 750 1000 500 0 0
1582
1583 Statistics › Conversation List
1584
1585 This option will open a new window that displays a list of all
1586 conversations between two endpoints. The list has one row for each
1587 unique conversation and displays total number of packets/bytes seen
1588 as well as number of packets/bytes in each direction.
1589
1590 By default the list is sorted according to the number of packets
1591 but by clicking on the column header; it is possible to re-sort the
1592 list in ascending or descending order by any column.
1593
1594 By first selecting a conversation by clicking on it and then using
1595 the right mouse button (on those platforms that have a right mouse
1596 button) Wireshark will display a popup menu offering several
1597 different filter operations to apply to the capture.
1598
1599 These statistics windows can also be invoked from the Wireshark
1600 command line using the -z conv argument.
1601
1602 Statistics › Service Response Time
1603
1604 • AFP
1605
1606 • CAMEL
1607
1608 • DCE-RPC
1609
1610 Open a window to display Service Response Time statistics for an
1611 arbitrary DCE-RPC program interface and display Procedure, Number
1612 of Calls, Minimum SRT, Maximum SRT and Average SRT for all
1613 procedures for that program/version. These windows opened will
1614 update in semi-real time to reflect changes when doing live
1615 captures or when reading new capture files into Wireshark.
1616
1617 This dialog will also allow an optional filter string to be used.
1618 If an optional filter string is used only such DCE-RPC
1619 request/response pairs that match that filter will be used to
1620 calculate the statistics. If no filter string is specified all
1621 request/response pairs will be used.
1622
1623 • Diameter
1624
1625 • Fibre Channel
1626
1627 Open a window to display Service Response Time statistics for Fibre
1628 Channel and display FC Type, Number of Calls, Minimum SRT, Maximum
1629 SRT and Average SRT for all FC types. These windows opened will
1630 update in semi-real time to reflect changes when doing live
1631 captures or when reading new capture files into Wireshark. The
1632 Service Response Time is calculated as the time delta between the
1633 First packet of the exchange and the Last packet of the exchange.
1634
1635 This dialog will also allow an optional filter string to be used.
1636 If an optional filter string is used only such FC first/last
1637 exchange pairs that match that filter will be used to calculate the
1638 statistics. If no filter string is specified all request/response
1639 pairs will be used.
1640
1641 • GTP
1642
1643 • H.225 RAS
1644
1645 Collect requests/response SRT (Service Response Time) data for
1646 ITU-T H.225 RAS. Data collected is number of calls for each known
1647 ITU-T H.225 RAS Message Type, Minimum SRT, Maximum SRT, Average
1648 SRT, Minimum in Packet, and Maximum in Packet. You will also get
1649 the number of Open Requests (Unresponded Requests), Discarded
1650 Responses (Responses without matching request) and Duplicate
1651 Messages. These windows opened will update in semi-real time to
1652 reflect changes when doing live captures or when reading new
1653 capture files into Wireshark.
1654
1655 You can apply an optional filter string in a dialog box, before
1656 starting the calculation. The statistics will only be calculated on
1657 those calls matching that filter.
1658
1659 • LDAP
1660
1661 • MEGACO
1662
1663 • MGCP
1664
1665 Collect requests/response SRT (Service Response Time) data for
1666 MGCP. Data collected is number of calls for each known MGCP Type,
1667 Minimum SRT, Maximum SRT, Average SRT, Minimum in Packet, and
1668 Maximum in Packet. These windows opened will update in semi-real
1669 time to reflect changes when doing live captures or when reading
1670 new capture files into Wireshark.
1671
1672 You can apply an optional filter string in a dialog box, before
1673 starting the calculation. The statistics will only be calculated on
1674 those calls matching that filter.
1675
1676 • NCP
1677
1678 • ONC-RPC
1679
1680 Open a window to display statistics for an arbitrary ONC-RPC
1681 program interface and display Procedure, Number of Calls, Minimum
1682 SRT, Maximum SRT and Average SRT for all procedures for that
1683 program/version. These windows opened will update in semi-real time
1684 to reflect changes when doing live captures or when reading new
1685 capture files into Wireshark.
1686
1687 This dialog will also allow an optional filter string to be used.
1688 If an optional filter string is used only such ONC-RPC
1689 request/response pairs that match that filter will be used to
1690 calculate the statistics. If no filter string is specified all
1691 request/response pairs will be used.
1692
1693 By first selecting a conversation by clicking on it and then using
1694 the right mouse button (on those platforms that have a right mouse
1695 button) Wireshark will display a popup menu offering several
1696 different filter operations to apply to the capture.
1697
1698 • RADIUS
1699
1700 • SCSI
1701
1702 • SMB
1703
1704 Collect call/reply SRT (Service Response Time) data for SMB. Data
1705 collected is the number of calls for each SMB command, MinSRT,
1706 MaxSRT and AvgSRT.
1707
1708 The data will be presented as separate tables for all normal SMB
1709 commands, all Transaction2 commands and all NT Transaction
1710 commands. Only those commands that are seen in the capture will
1711 have its stats displayed. Only the first command in a xAndX command
1712 chain will be used in the calculation. So for common
1713 SessionSetupAndX + TreeConnectAndX chains, only the
1714 SessionSetupAndX call will be used in the statistics. This is a
1715 flaw that might be fixed in the future.
1716
1717 You can apply an optional filter string in a dialog box, before
1718 starting the calculation. The stats will only be calculated on
1719 those calls matching that filter.
1720
1721 By first selecting a conversation by clicking on it and then using
1722 the right mouse button (on those platforms that have a right mouse
1723 button) Wireshark will display a popup menu offering several
1724 different filter operations to apply to the capture.
1725
1726 • SMB2
1727
1728 Statistics › BOOTP-DHCP
1729 Show DHCP statistics.
1730
1731 Statistics › Compare
1732 Compare two capture files.
1733
1734 Statistics › Flow Graph
1735 Show protocol flows.
1736
1737 Statistics › HTTP
1738 HTTP Load Distribution, Packet Counter & Requests.
1739
1740 Statistics › IP Addresses
1741 Count, Rate, and Percent by IP Address.
1742
1743 Statistics › IP Destinations
1744 Count, Rate, and Percent by IP Address, protocol, and port.
1745
1746 Statistics › IP Protocol Types
1747 Count, Rate, and Percent by IP Protocol Types.
1748
1749 Statistics › ONC-RPC Programs
1750 This dialog will open a window showing aggregated SRT statistics
1751 for all ONC-RPC Programs/versions that exist in the capture file.
1752
1753 Statistics › TCP Stream Graph
1754 Show Round Trip, Throughput, Time-Sequence (Stevens), or
1755 Time-Sequence (tcptrace) graphs.
1756
1757 Statistics › UDP Multicast streams
1758 Multicast Streams counts, rates, and other statistics by source and
1759 destination address and port pairs.
1760
1761 Statistics › WLAN Traffic
1762 WLAN Traffic Statistics.
1763
1764 Telephony › ITU-T H.225
1765
1766 Count ITU-T H.225 messages and their reasons. In the first column
1767 you get a list of H.225 messages and H.225 message reasons, which
1768 occur in the current capture file. The number of occurrences of
1769 each message or reason will be displayed in the second column. This
1770 window opened will update in semi-real time to reflect changes when
1771 doing live captures or when reading new capture files into
1772 Wireshark.
1773
1774 You can apply an optional filter string in a dialog box, before
1775 starting the counter. The statistics will only be calculated on
1776 those calls matching that filter.
1777
1778 Telephony › SIP
1779
1780 Activate a counter for SIP messages. You will get the number of
1781 occurrences of each SIP Method and of each SIP Status-Code.
1782 Additionally you also get the number of resent SIP Messages (only
1783 for SIP over UDP).
1784
1785 This window opened will update in semi-real time to reflect changes
1786 when doing live captures or when reading new capture files into
1787 Wireshark.
1788
1789 You can apply an optional filter string in a dialog box, before
1790 starting the counter. The statistics will only be calculated on
1791 those calls matching that filter.
1792
1793 Tools › Firewall ACL Rules
1794 Generate firewall rules for a selected packet.
1795
1796 Help › Contents
1797 Display the User’s Guide.
1798
1799 Help › Supported Protocols
1800 List of supported protocols and display filter protocol fields.
1801
1802 Help › Manual Pages
1803 Display locally installed HTML versions of these manual pages in a
1804 web browser.
1805
1806 Help › Wireshark Online
1807 Various links to online resources to be open in a web browser, like
1808 https://www.wireshark.org.
1809
1810 Help › About Wireshark
1811 See various information about Wireshark (see /About dialog below),
1812 like the version, the folders used, the available plugins, ...
1813
1814 WINDOWS
1815 Main Window
1816
1817 The main window contains the usual things like the menu, some
1818 toolbars, the main area and a statusbar. The main area is split
1819 into three panes, you can resize each pane using a "thumb" at the
1820 right end of each divider line.
1821
1822 The main window is much more flexible than before. The layout of
1823 the main window can be customized by the Layout page in the dialog
1824 box popped up by Edit:Preferences, the following will describe the
1825 layout with the default settings.
1826
1827 Main Toolbar
1828
1829 Some menu items are available for quick access here. There is no
1830 way to customize the items in the toolbar, however the toolbar can
1831 be hidden by View:Main Toolbar.
1832
1833 Filter Toolbar
1834
1835 A display filter can be entered into the filter toolbar. A filter
1836 for HTTP, HTTPS, and DNS traffic might look like this:
1837
1838 tcp.port in {80 443 53}
1839
1840 Selecting the Filter: button lets you choose from a list of named
1841 filters that you can optionally save. Pressing the Return or Enter
1842 keys, or selecting the Apply button, will cause the filter to be
1843 applied to the current list of packets. Selecting the Reset button
1844 clears the display filter so that all packets are displayed
1845 (again).
1846
1847 There is no way to customize the items in the toolbar, however the
1848 toolbar can be hidden by View:Filter Toolbar.
1849
1850 Packet List Pane
1851
1852 The top pane contains the list of network packets that you can
1853 scroll through and select. By default, the packet number, packet
1854 timestamp, source and destination addresses, protocol, and
1855 description are displayed for each packet; the Columns page in the
1856 dialog box popped up by Edit:Preferences lets you change this
1857 (although, unfortunately, you currently have to save the
1858 preferences, and exit and restart Wireshark, for those changes to
1859 take effect).
1860
1861 If you click on the heading for a column, the display will be
1862 sorted by that column; clicking on the heading again will reverse
1863 the sort order for that column.
1864
1865 An effort is made to display information as high up the protocol
1866 stack as possible, e.g. IP addresses are displayed for IP packets,
1867 but the MAC layer address is displayed for unknown packet types.
1868
1869 The right mouse button can be used to pop up a menu of operations.
1870
1871 The middle mouse button can be used to mark a packet.
1872
1873 Packet Details Pane
1874
1875 The middle pane contains a display of the details of the
1876 currently-selected packet. The display shows each field and its
1877 value in each protocol header in the stack. The right mouse button
1878 can be used to pop up a menu of operations.
1879
1880 Packet Bytes Pane
1881
1882 The lowest pane contains a hex and ASCII dump of the actual packet
1883 data. Selecting a field in the packet details highlights the
1884 corresponding bytes in this section.
1885
1886 The right mouse button can be used to pop up a menu of operations.
1887
1888 Statusbar
1889
1890 The statusbar is divided into three parts, on the left some context
1891 dependent things are shown, like information about the loaded file,
1892 in the center the number of packets are displayed, and on the right
1893 the current configuration profile.
1894
1895 The statusbar can be hidden by View:Statusbar.
1896
1897 Preferences
1898 Adjust the behavior of Wireshark.
1899
1900 User Interface Preferences
1901 Modify the UI to your own personal tastes.
1902
1903 Selection Bars
1904
1905 The selection bar in the packet list and packet details can have
1906 either a "browse" or "select" behavior. If the selection bar has a
1907 "browse" behavior, the arrow keys will move an outline of the
1908 selection bar, allowing you to browse the rest of the list or
1909 details without changing the selection until you press the space
1910 bar. If the selection bar has a "select" behavior, the arrow keys
1911 will move the selection bar and change the selection to the new
1912 item in the packet list or packet details.
1913
1914 Save Window Position
1915
1916 If this item is selected, the position of the main Wireshark window
1917 will be saved when Wireshark exits, and used when Wireshark is
1918 started again.
1919
1920 Save Window Size
1921
1922 If this item is selected, the size of the main Wireshark window
1923 will be saved when Wireshark exits, and used when Wireshark is
1924 started again.
1925
1926 Save Window Maximized state
1927
1928 If this item is selected the maximize state of the main Wireshark
1929 window will be saved when Wireshark exists, and used when Wireshark
1930 is started again.
1931
1932 File Open Dialog Behavior
1933
1934 This item allows the user to select how Wireshark handles the
1935 listing of the "File Open" Dialog when opening trace files.
1936 "Remember Last Directory" causes Wireshark to automatically
1937 position the dialog in the directory of the most recently opened
1938 file, even between launches of Wireshark. "Always Open in
1939 Directory" allows the user to define a persistent directory that
1940 the dialog will always default to.
1941
1942 Directory
1943
1944 Allows the user to specify a persistent File Open directory.
1945 Trailing slashes or backslashes will automatically be added.
1946
1947 File Open Preview timeout
1948
1949 This items allows the user to define how much time is spend reading
1950 the capture file to present preview data in the File Open dialog.
1951
1952 Open Recent maximum list entries
1953
1954 The File menu supports a recent file list. This items allows the
1955 user to specify how many files are kept track of in this list.
1956
1957 Ask for unsaved capture files
1958
1959 When closing a capture file or Wireshark itself if the file isn’t
1960 saved yet the user is presented the option to save the file when
1961 this item is set.
1962
1963 Wrap during find
1964
1965 This items determines the behavior when reaching the beginning or
1966 the end of a capture file. When set the search wraps around and
1967 continues, otherwise it stops.
1968
1969 Settings dialogs show a save button
1970
1971 This item determines if the various dialogs sport an explicit Save
1972 button or that save is implicit in OK / Apply.
1973
1974 Web browser command
1975
1976 This entry specifies the command line to launch a web browser. It
1977 is used to access online content, like the Wiki and user guide. Use
1978 '%s' to place the request URL in the command line.
1979
1980 Layout Preferences
1981
1982 The Layout page lets you specify the general layout of the main
1983 window. You can choose from six different layouts and fill the
1984 three panes with the contents you like.
1985
1986 Scrollbars
1987
1988 The vertical scrollbars in the three panes can be set to be either
1989 on the left or the right.
1990
1991 Alternating row colors, Hex Display
1992
1993 The highlight method in the hex dump display for the selected
1994 protocol item can be set to use either inverse video, or bold
1995 characters.
1996
1997 Toolbar style, Filter toolbar placement, Custom window title, Column
1998 Preferences
1999
2000 The Columns page lets you specify the number, title, and format of
2001 each column in the packet list.
2002
2003 The Column title entry is used to specify the title of the column
2004 displayed at the top of the packet list. The type of data that the
2005 column displays can be specified using the Column format option
2006 menu. The row of buttons on the left perform the following actions:
2007
2008 New
2009 Adds a new column to the list.
2010
2011 Delete
2012 Deletes the currently selected list item.
2013
2014 Up / Down
2015 Moves the selected list item up or down one position.
2016
2017 Font Preferences
2018 The Font page lets you select the font to be used for most text.
2019
2020 Color Preferences
2021
2022 The Colors page can be used to change the color of the text
2023 displayed in the TCP stream window and for marked packets. To
2024 change a color, simply select an attribute from the "Set:" menu and
2025 use the color selector to get the desired color. The new text
2026 colors are displayed as a sample text.
2027
2028 Capture Preferences
2029
2030 The Capture page lets you specify various parameters for capturing
2031 live packet data; these are used the first time a capture is
2032 started.
2033
2034 The Interface: combo box lets you specify the interface from which
2035 to capture packet data, or the name of a FIFO from which to get the
2036 packet data.
2037
2038 The Data link type: option menu lets you, for some interfaces,
2039 select the data link header you want to see on the packets you
2040 capture. For example, in some OSes and with some versions of
2041 libpcap, you can choose, on an 802.11 interface, whether the
2042 packets should appear as Ethernet packets (with a fake Ethernet
2043 header) or as 802.11 packets.
2044
2045 The Limit each packet to ... bytes check box lets you set the
2046 snapshot length to use when capturing live data; turn on the check
2047 box, and then set the number of bytes to use as the snapshot
2048 length.
2049
2050 The Filter: text entry lets you set a capture filter expression to
2051 be used when capturing.
2052
2053 If any of the environment variables SSH_CONNECTION, SSH_CLIENT,
2054 REMOTEHOST, DISPLAY, or SESSIONNAME are set, Wireshark will create
2055 a default capture filter that excludes traffic from the hosts and
2056 ports defined in those variables.
2057
2058 The Capture packets in promiscuous mode check box lets you specify
2059 whether to put the interface in promiscuous mode when capturing.
2060
2061 The Update list of packets in real time check box lets you specify
2062 that the display should be updated as packets are seen.
2063
2064 The Automatic scrolling in live capture check box lets you specify
2065 whether, in an "Update list of packets in real time" capture, the
2066 packet list pane should automatically scroll to show the most
2067 recently captured packets.
2068
2069 Printing Preferences
2070
2071 The radio buttons at the top of the Printing page allow you choose
2072 between printing packets with the File:Print Packet menu item as
2073 text or PostScript, and sending the output directly to a command or
2074 saving it to a file. The Command: text entry box, on
2075 UNIX-compatible systems, is the command to send files to (usually
2076 lpr), and the File: entry box lets you enter the name of the file
2077 you wish to save to. Additionally, you can select the File: button
2078 to browse the file system for a particular save file.
2079
2080 Name Resolution Preferences
2081
2082 The Enable MAC name resolution, Enable network name resolution and
2083 Enable transport name resolution check boxes let you specify
2084 whether MAC addresses, network addresses, and transport-layer port
2085 numbers should be translated to names.
2086
2087 The Enable concurrent DNS name resolution allows Wireshark to send
2088 out multiple name resolution requests and not wait for the result
2089 before continuing dissection. This speeds up dissection with
2090 network name resolution but initially may miss resolutions. The
2091 number of concurrent requests can be set here as well.
2092
2093 SMI paths
2094
2095 SMI modules
2096
2097 RTP Player Preferences
2098
2099 This page allows you to select the number of channels visible in
2100 the RTP player window. It determines the height of the window, more
2101 channels are possible and visible by means of a scroll bar.
2102
2103 Protocol Preferences
2104
2105 There are also pages for various protocols that Wireshark dissects,
2106 controlling the way Wireshark handles those protocols.
2107
2108 Edit Capture Filter List, Edit Display Filter List, Capture Filter,
2109 Display Filter, Read Filter, Search Filter
2110
2111 The Edit Capture Filter List dialog lets you create, modify, and
2112 delete capture filters, and the Edit Display Filter List dialog
2113 lets you create, modify, and delete display filters.
2114
2115 The Capture Filter dialog lets you do all of the editing operations
2116 listed, and also lets you choose or construct a filter to be used
2117 when capturing packets.
2118
2119 The Display Filter dialog lets you do all of the editing operations
2120 listed, and also lets you choose or construct a filter to be used
2121 to filter the current capture being viewed.
2122
2123 The Read Filter dialog lets you do all of the editing operations
2124 listed, and also lets you choose or construct a filter to be used
2125 to as a read filter for a capture file you open.
2126
2127 The Search Filter dialog lets you do all of the editing operations
2128 listed, and also lets you choose or construct a filter expression
2129 to be used in a find operation.
2130
2131 In all of those dialogs, the Filter name entry specifies a
2132 descriptive name for a filter, e.g. Web and DNS traffic. The Filter
2133 string entry is the text that actually describes the filtering
2134 action to take, as described above.The dialog buttons perform the
2135 following actions:
2136
2137 New
2138 If there is text in the two entry boxes, creates a new associated
2139 list item.
2140
2141 Edit
2142 Modifies the currently selected list item to match what’s in the
2143 entry boxes.
2144
2145 Delete
2146 Deletes the currently selected list item.
2147
2148 Add Expression...
2149
2150 For display filter expressions, pops up a dialog box to allow you
2151 to construct a filter expression to test a particular field; it
2152 offers lists of field names, and, when appropriate, lists from
2153 which to select tests to perform on the field and values with which
2154 to compare it. In that dialog box, the OK button will cause the
2155 filter expression you constructed to be entered into the Filter
2156 string entry at the current cursor position.
2157
2158 OK
2159
2160 In the Capture Filter dialog, closes the dialog box and makes the
2161 filter in the Filter string entry the filter in the Capture
2162 Preferences dialog. In the Display Filter dialog, closes the dialog
2163 box and makes the filter in the Filter string entry the current
2164 display filter, and applies it to the current capture. In the Read
2165 Filter dialog, closes the dialog box and makes the filter in the
2166 Filter string entry the filter in the Open Capture File dialog. In
2167 the Search Filter dialog, closes the dialog box and makes the
2168 filter in the Filter string entry the filter in the Find Packet
2169 dialog.
2170
2171 Apply
2172 Makes the filter in the Filter string entry the current display
2173 filter, and applies it to the current capture.
2174
2175 Save
2176
2177 If the list of filters being edited is the list of capture filters,
2178 saves the current filter list to the personal capture filters file,
2179 and if the list of filters being edited is the list of display
2180 filters, saves the current filter list to the personal display
2181 filters file.
2182
2183 Close
2184 Closes the dialog without doing anything with the filter in the
2185 Filter string entry.
2186
2187 The Color Filters Dialog
2188 This dialog displays a list of color filters and allows it to be
2189 modified.
2190
2191 THE FILTER LIST
2192
2193 Single rows may be selected by clicking. Multiple rows may be
2194 selected by using the ctrl and shift keys in combination with the
2195 mouse button.
2196
2197 NEW
2198
2199 Adds a new filter at the bottom of the list and opens the Edit
2200 Color Filter dialog box. You will have to alter the filter
2201 expression at least before the filter will be accepted. The format
2202 of color filter expressions is identical to that of display
2203 filters. The new filter is selected, so it may immediately be moved
2204 up and down, deleted or edited. To avoid confusion all filters are
2205 unselected before the new filter is created.
2206
2207 EDIT
2208
2209 Opens the Edit Color Filter dialog box for the selected filter. (If
2210 this button is disabled you may have more than one filter selected,
2211 making it ambiguous which is to be edited.)
2212
2213 ENABLE
2214 Enables the selected color filter(s).
2215
2216 DISABLE
2217 Disables the selected color filter(s).
2218
2219 DELETE
2220 Deletes the selected color filter(s).
2221
2222 EXPORT
2223
2224 Allows you to choose a file in which to save the current list of
2225 color filters. You may also choose to save only the selected
2226 filters. A button is provided to save the filters in the global
2227 color filters file (you must have sufficient permissions to write
2228 this file, of course).
2229
2230 IMPORT
2231
2232 Allows you to choose a file containing color filters which are then
2233 added to the bottom of the current list. All the added filters are
2234 selected, so they may be moved to the correct position in the list
2235 as a group. To avoid confusion, all filters are unselected before
2236 the new filters are imported. A button is provided to load the
2237 filters from the global color filters file.
2238
2239 CLEAR
2240 Deletes your personal color filters file, reloads the global color
2241 filters file, if any, and closes the dialog.
2242
2243 UP
2244 Moves the selected filter(s) up the list, making it more likely
2245 that they will be used to color packets.
2246
2247 DOWN
2248 Moves the selected filter(s) down the list, making it less likely
2249 that they will be used to color packets.
2250
2251 OK
2252 Closes the dialog and uses the color filters as they stand.
2253
2254 APPLY
2255 Colors the packets according to the current list of color filters,
2256 but does not close the dialog.
2257
2258 SAVE
2259
2260 Saves the current list of color filters in your personal color
2261 filters file. Unless you do this they will not be used the next
2262 time you start Wireshark.
2263
2264 CLOSE
2265
2266 Closes the dialog without changing the coloration of the packets.
2267 Note that changes you have made to the current list of color
2268 filters are not undone.
2269
2270 Capture Options Dialog
2271
2272 The Capture Options Dialog lets you specify various parameters for
2273 capturing live packet data.
2274
2275 The Interface: field lets you specify the interface from which to
2276 capture packet data or a command from which to get the packet data
2277 via a pipe.
2278
2279 The Link layer header type: field lets you specify the interfaces
2280 link layer header type. This field is usually disabled, as most
2281 interface have only one header type.
2282
2283 The Capture packets in promiscuous mode check box lets you specify
2284 whether the interface should be put into promiscuous mode when
2285 capturing.
2286
2287 The Limit each packet to ... bytes check box and field lets you
2288 specify a maximum number of bytes per packet to capture and save;
2289 if the check box is not checked, the limit will be 262144 bytes.
2290
2291 The Capture Filter: entry lets you specify the capture filter using
2292 a tcpdump-style filter string as described above.
2293
2294 The File: entry lets you specify the file into which captured
2295 packets should be saved, as in the Printer Options dialog above. If
2296 not specified, the captured packets will be saved in a temporary
2297 file; you can save those packets to a file with the File:Save As
2298 menu item.
2299
2300 The Use multiple files check box lets you specify that the capture
2301 should be done in "multiple files" mode. This option is disabled,
2302 if the Update list of packets in real time option is checked.
2303
2304 The Next file every ... megabyte(s) check box and fields lets you
2305 specify that a switch to a next file should be done if the
2306 specified filesize is reached. You can also select the appropriate
2307 unit, but beware that the filesize has a maximum of 2 GiB. The
2308 check box is forced to be checked, as "multiple files" mode
2309 requires a file size to be specified.
2310
2311 The Next file every ... minute(s) check box and fields lets you
2312 specify that the switch to a next file should be done after the
2313 specified time has elapsed, even if the specified capture size is
2314 not reached.
2315
2316 The Ring buffer with ... files field lets you specify the number of
2317 files of a ring buffer. This feature will capture into the first
2318 file again, after the specified number of files have been used.
2319
2320 The Stop capture after ... files field lets you specify the number
2321 of capture files used, until the capture is stopped.
2322
2323 The Stop capture after ... packet(s) check box and field let you
2324 specify that Wireshark should stop capturing after having captured
2325 some number of packets; if the check box is not checked, Wireshark
2326 will not stop capturing at some fixed number of captured packets.
2327
2328 The Stop capture after ... megabyte(s) check box and field lets you
2329 specify that Wireshark should stop capturing after the file to
2330 which captured packets are being saved grows as large as or larger
2331 than some specified number of megabytes. If the check box is not
2332 checked, Wireshark will not stop capturing at some capture file
2333 size (although the operating system on which Wireshark is running,
2334 or the available disk space, may still limit the maximum size of a
2335 capture file). This option is disabled, if "multiple files" mode is
2336 used,
2337
2338 The Stop capture after ... second(s) check box and field let you
2339 specify that Wireshark should stop capturing after it has been
2340 capturing for some number of seconds; if the check box is not
2341 checked, Wireshark will not stop capturing after some fixed time
2342 has elapsed.
2343
2344 The Update list of packets in real time check box lets you specify
2345 whether the display should be updated as packets are captured and,
2346 if you specify that, the Automatic scrolling in live capture check
2347 box lets you specify the packet list pane should automatically
2348 scroll to show the most recently captured packets as new packets
2349 arrive.
2350
2351 The Enable MAC name resolution, Enable network name resolution and
2352 Enable transport name resolution check boxes let you specify
2353 whether MAC addresses, network addresses, and transport-layer port
2354 numbers should be translated to names.
2355
2356 About
2357 The About dialog lets you view various information about Wireshark.
2358
2359 About › Wireshark
2360
2361 The Wireshark page lets you view general information about
2362 Wireshark, like the installed version, licensing information and
2363 such.
2364
2365 About › Authors
2366 The Authors page shows the author and all contributors.
2367
2368 About › Folders
2369
2370 The Folders page lets you view the directory names where Wireshark
2371 is searching it’s various configuration and other files.
2372
2373 About › Plugins
2374
2375 The Plugins page lets you view the dissector plugin modules
2376 available on your system.
2377
2378 The Plugins List shows the name and version of each dissector
2379 plugin module found on your system.
2380
2381 On Unix-compatible systems, the plugins are looked for in the
2382 following directories: the lib/wireshark/plugins/$VERSION directory
2383 under the main installation directory (for example,
2384 /usr/local/lib/wireshark/plugins/$VERSION), and then
2385 $HOME/.wireshark/plugins.
2386
2387 On Windows systems, the plugins are looked for in the following
2388 directories: plugins\$VERSION directory under the main installation
2389 directory (for example, C:\Program
2390 Files\Wireshark\plugins\$VERSION), and then
2391 %APPDATA%\Wireshark\plugins\$VERSION (or, if %APPDATA% isn’t
2392 defined, %USERPROFILE%\Application
2393 Data\Wireshark\plugins\$VERSION).
2394
2395 $VERSION is the version number of the plugin interface, which is
2396 typically the version number of Wireshark. Note that a dissector
2397 plugin module may support more than one protocol; there is not
2398 necessarily a one-to-one correspondence between dissector plugin
2399 modules and protocols. Protocols supported by a dissector plugin
2400 module are enabled and disabled using the Edit:Protocols dialog
2401 box, just as protocols built into Wireshark are.
2402
2404 See the manual page of pcap-filter(7) or, if that doesn’t exist,
2405 tcpdump(8), or, if that doesn’t exist,
2406 https://gitlab.com/wireshark/wireshark/-/wikis/CaptureFilters.
2407
2409 For a complete table of protocol and protocol fields that are
2410 filterable in Wireshark see the wireshark-filter(4) manual page.
2411
2413 These files contains various Wireshark configuration settings.
2414
2415 Preferences
2416
2417 The preferences files contain global (system-wide) and personal
2418 preference settings. If the system-wide preference file exists, it
2419 is read first, overriding the default settings. If the personal
2420 preferences file exists, it is read next, overriding any previous
2421 values. Note: If the command line flag -o is used (possibly more
2422 than once), it will in turn override values from the preferences
2423 files.
2424
2425 The preferences settings are in the form prefname:value, one per
2426 line, where prefname is the name of the preference and value is the
2427 value to which it should be set; white space is allowed between :
2428 and value. A preference setting can be continued on subsequent
2429 lines by indenting the continuation lines with white space. A #
2430 character starts a comment that runs to the end of the line:
2431
2432 # Vertical scrollbars should be on right side?
2433 # TRUE or FALSE (case-insensitive).
2434 gui.scrollbar_on_right: TRUE
2435
2436 The global preferences file is looked for in the wireshark
2437 directory under the share subdirectory of the main installation
2438 directory (for example, /usr/local/share/wireshark/preferences) on
2439 UNIX-compatible systems, and in the main installation directory
2440 (for example, C:\Program Files\Wireshark\preferences) on Windows
2441 systems.
2442
2443 The personal preferences file is looked for in
2444 $XDG_CONFIG_HOME/wireshark/preferences (or, if
2445 $XDG_CONFIG_HOME/wireshark does not exist while $HOME/.wireshark is
2446 present, $HOME/.wireshark/preferences) on UNIX-compatible systems
2447 and %APPDATA%\Wireshark\preferences (or, if %APPDATA% isn’t
2448 defined, %USERPROFILE%\Application Data\Wireshark\preferences) on
2449 Windows systems.
2450
2451 Note: Whenever the preferences are saved by using the Save button
2452 in the Edit:Preferences dialog box, your personal preferences file
2453 will be overwritten with the new settings, destroying any comments
2454 and unknown/obsolete settings that were in the file.
2455
2456 Recent
2457
2458 The recent file contains personal settings (mostly GUI related)
2459 such as the current Wireshark window size. The file is saved at
2460 program exit and read in at program start automatically. Note: The
2461 command line flag -o may be used to override settings from this
2462 file.
2463
2464 The settings in this file have the same format as in the
2465 preferences files, and the same directory as for the personal
2466 preferences file is used.
2467
2468 Note: Whenever Wireshark is closed, your recent file will be
2469 overwritten with the new settings, destroying any comments and
2470 unknown/obsolete settings that were in the file.
2471
2472 Disabled (Enabled) Protocols
2473
2474 The disabled_protos files contain system-wide and personal lists of
2475 protocols that have been disabled, so that their dissectors are
2476 never called. The files contain protocol names, one per line, where
2477 the protocol name is the same name that would be used in a display
2478 filter for the protocol:
2479
2480 http
2481 tcp # a comment
2482
2483 If a protocol is listed in the global disabled_protos file, it is
2484 not displayed in the Analyze:Enabled Protocols dialog box, and so
2485 cannot be enabled by the user.
2486
2487 The global disabled_protos file uses the same directory as the
2488 global preferences file.
2489
2490 The personal disabled_protos file uses the same directory as the
2491 personal preferences file.
2492
2493 Note: Whenever the disabled protocols list is saved by using the
2494 Save button in the Analyze:Enabled Protocols dialog box, your
2495 personal disabled protocols file will be overwritten with the new
2496 settings, destroying any comments that were in the file.
2497
2498 Name Resolution (hosts)
2499
2500 If the personal hosts file exists, it is used to resolve IPv4 and
2501 IPv6 addresses before any other attempts are made to resolve them.
2502 The file has the standard hosts file syntax; each line contains one
2503 IP address and name, separated by whitespace. The same directory as
2504 for the personal preferences file is used.
2505
2506 Capture filter name resolution is handled by libpcap on
2507 UNIX-compatible systems and WinPcap on Windows. As such the
2508 Wireshark personal hosts file will not be consulted for capture
2509 filter name resolution.
2510
2511 Name Resolution (subnets)
2512
2513 If an IPv4 address cannot be translated via name resolution (no
2514 exact match is found) then a partial match is attempted via the
2515 subnets file. Both the global subnets file and personal subnets
2516 files are used if they exist.
2517
2518 Each line of this file consists of an IPv4 address, a subnet mask
2519 length separated only by a / and a name separated by whitespace.
2520 While the address must be a full IPv4 address, any values beyond
2521 the mask length are subsequently ignored.
2522
2523 An example is:
2524
2525 # Comments must be prepended by the # sign! 192.168.0.0/24
2526 ws_test_network
2527
2528 A partially matched name will be printed as
2529 "subnet-name.remaining-address". For example, "192.168.0.1" under
2530 the subnet above would be printed as "ws_test_network.1"; if the
2531 mask length above had been 16 rather than 24, the printed address
2532 would be "ws_test_network.0.1".
2533
2534 Name Resolution (ethers)
2535
2536 The ethers files are consulted to correlate 6-byte hardware
2537 addresses to names. First the personal ethers file is tried and if
2538 an address is not found there the global ethers file is tried next.
2539
2540 Each line contains one hardware address and name, separated by
2541 whitespace. The digits of the hardware address are separated by
2542 colons (:), dashes (-) or periods (.). The same separator character
2543 must be used consistently in an address. The following three lines
2544 are valid lines of an ethers file:
2545
2546 ff:ff:ff:ff:ff:ff Broadcast
2547 c0-00-ff-ff-ff-ff TR_broadcast
2548 00.00.00.00.00.00 Zero_broadcast
2549
2550 The global ethers file is looked for in the /etc directory on
2551 UNIX-compatible systems, and in the main installation directory
2552 (for example, C:\Program Files\Wireshark) on Windows systems.
2553
2554 The personal ethers file is looked for in the same directory as the
2555 personal preferences file.
2556
2557 Capture filter name resolution is handled by libpcap on
2558 UNIX-compatible systems and WinPcap on Windows. As such the
2559 Wireshark personal ethers file will not be consulted for capture
2560 filter name resolution.
2561
2562 Name Resolution (manuf)
2563
2564 The manuf file is used to match the 3-byte vendor portion of a
2565 6-byte hardware address with the manufacturer’s name; it can also
2566 contain well-known MAC addresses and address ranges specified with
2567 a netmask. The format of the file is the same as the ethers files,
2568 except that entries such as:
2569
2570 00:00:0C Cisco
2571
2572 can be provided, with the 3-byte OUI and the name for a vendor, and
2573 entries such as:
2574
2575 00-00-0C-07-AC/40 All-HSRP-routers
2576
2577 can be specified, with a MAC address and a mask indicating how many
2578 bits of the address must match. The above entry, for example, has
2579 40 significant bits, or 5 bytes, and would match addresses from
2580 00-00-0C-07-AC-00 through 00-00-0C-07-AC-FF. The mask need not be a
2581 multiple of 8.
2582
2583 The manuf file is looked for in the same directory as the global
2584 preferences file.
2585
2586 Name Resolution (services)
2587
2588 The services file is used to translate port numbers into names.
2589 Both the global services file and personal services files are used
2590 if they exist.
2591
2592 The file has the standard services file syntax; each line contains
2593 one (service) name and one transport identifier separated by white
2594 space. The transport identifier includes one port number and one
2595 transport protocol name (typically tcp, udp, or sctp) separated by
2596 a /.
2597
2598 An example is:
2599
2600 mydns 5045/udp # My own Domain Name Server mydns
2601 5045/tcp # My own Domain Name Server
2602
2603 Name Resolution (ipxnets)
2604
2605 The ipxnets files are used to correlate 4-byte IPX network numbers
2606 to names. First the global ipxnets file is tried and if that
2607 address is not found there the personal one is tried next.
2608
2609 The format is the same as the ethers file, except that each address
2610 is four bytes instead of six. Additionally, the address can be
2611 represented as a single hexadecimal number, as is more common in
2612 the IPX world, rather than four hex octets. For example, these four
2613 lines are valid lines of an ipxnets file:
2614
2615 C0.A8.2C.00 HR
2616 c0-a8-1c-00 CEO
2617 00:00:BE:EF IT_Server1
2618 110f FileServer3
2619
2620 The global ipxnets file is looked for in the /etc directory on
2621 UNIX-compatible systems, and in the main installation directory
2622 (for example, C:\Program Files\Wireshark) on Windows systems.
2623
2624 The personal ipxnets file is looked for in the same directory as
2625 the personal preferences file.
2626
2627 Capture Filters
2628
2629 The cfilters files contain system-wide and personal capture
2630 filters. Each line contains one filter, starting with the string
2631 displayed in the dialog box in quotation marks, followed by the
2632 filter string itself:
2633
2634 "HTTP" port 80
2635 "DCERPC" port 135
2636
2637 The global cfilters file uses the same directory as the global
2638 preferences file.
2639
2640 The personal cfilters file uses the same directory as the personal
2641 preferences file. It is written through the Capture:Capture Filters
2642 dialog.
2643
2644 If the global cfilters file exists, it is used only if the personal
2645 cfilters file does not exist; global and personal capture filters
2646 are not merged.
2647
2648 Display Filters
2649
2650 The dfilters files contain system-wide and personal display
2651 filters. Each line contains one filter, starting with the string
2652 displayed in the dialog box in quotation marks, followed by the
2653 filter string itself:
2654
2655 "HTTP" http
2656 "DCERPC" dcerpc
2657
2658 The global dfilters file uses the same directory as the global
2659 preferences file.
2660
2661 The personal dfilters file uses the same directory as the personal
2662 preferences file. It is written through the Analyze:Display Filters
2663 dialog.
2664
2665 If the global dfilters file exists, it is used only if the personal
2666 dfilters file does not exist; global and personal display filters
2667 are not merged.
2668
2669 Color Filters (Coloring Rules)
2670
2671 The colorfilters files contain system-wide and personal color
2672 filters. Each line contains one filter, starting with the string
2673 displayed in the dialog box, followed by the corresponding display
2674 filter. Then the background and foreground colors are appended:
2675
2676 # a comment
2677 @tcp@tcp@[59345,58980,65534][0,0,0]
2678 @udp@udp@[28834,57427,65533][0,0,0]
2679
2680 The global colorfilters file uses the same directory as the global
2681 preferences file.
2682
2683 The personal colorfilters file uses the same directory as the
2684 personal preferences file. It is written through the View:Coloring
2685 Rules dialog.
2686
2687 If the global colorfilters file exists, it is used only if the
2688 personal colorfilters file does not exist; global and personal
2689 color filters are not merged.
2690
2691 Plugins
2692
2693 See above in the description of the About:Plugins page.
2694
2696 WIRESHARK_CONFIG_DIR
2697
2698 This environment variable overrides the location of personal
2699 configuration files. It defaults to $XDG_CONFIG_HOME/wireshark (or
2700 $HOME/.wireshark if the former is missing while the latter exists).
2701 On Windows, %APPDATA%\Wireshark is used instead. Available since
2702 Wireshark 3.0.
2703
2704 WIRESHARK_DEBUG_WMEM_OVERRIDE
2705
2706 Setting this environment variable forces the wmem framework to use
2707 the specified allocator backend for all allocations, regardless of
2708 which backend is normally specified by the code. This is mainly
2709 useful to developers when testing or debugging. See README.wmem in
2710 the source distribution for details.
2711
2712 WIRESHARK_RUN_FROM_BUILD_DIRECTORY
2713
2714 This environment variable causes the plugins and other data files
2715 to be loaded from the build directory (where the program was
2716 compiled) rather than from the standard locations. It has no effect
2717 when the program in question is running with root (or setuid)
2718 permissions on *NIX.
2719
2720 WIRESHARK_DATA_DIR
2721
2722 This environment variable causes the various data files to be
2723 loaded from a directory other than the standard locations. It has
2724 no effect when the program in question is running with root (or
2725 setuid) permissions on *NIX.
2726
2727 ERF_RECORDS_TO_CHECK
2728
2729 This environment variable controls the number of ERF records
2730 checked when deciding if a file really is in the ERF format.
2731 Setting this environment variable a number higher than the default
2732 (20) would make false positives less likely.
2733
2734 IPFIX_RECORDS_TO_CHECK
2735
2736 This environment variable controls the number of IPFIX records
2737 checked when deciding if a file really is in the IPFIX format.
2738 Setting this environment variable a number higher than the default
2739 (20) would make false positives less likely.
2740
2741 WIRESHARK_ABORT_ON_DISSECTOR_BUG
2742
2743 If this environment variable is set, Wireshark will call abort(3)
2744 when a dissector bug is encountered. abort(3) will cause the
2745 program to exit abnormally; if you are running Wireshark in a
2746 debugger, it should halt in the debugger and allow inspection of
2747 the process, and, if you are not running it in a debugger, it will,
2748 on some OSes, assuming your environment is configured correctly,
2749 generate a core dump file. This can be useful to developers
2750 attempting to troubleshoot a problem with a protocol dissector.
2751
2752 WIRESHARK_ABORT_ON_TOO_MANY_ITEMS
2753
2754 If this environment variable is set, Wireshark will call abort(3)
2755 if a dissector tries to add too many items to a tree (generally
2756 this is an indication of the dissector not breaking out of a loop
2757 soon enough). abort(3) will cause the program to exit abnormally;
2758 if you are running Wireshark in a debugger, it should halt in the
2759 debugger and allow inspection of the process, and, if you are not
2760 running it in a debugger, it will, on some OSes, assuming your
2761 environment is configured correctly, generate a core dump file.
2762 This can be useful to developers attempting to troubleshoot a
2763 problem with a protocol dissector.
2764
2765 WIRESHARK_QUIT_AFTER_CAPTURE
2766
2767 Cause Wireshark to exit after the end of the capture session. This
2768 doesn’t automatically start a capture; you must still use -k to do
2769 that. You must also specify an autostop condition, e.g. -c or -a
2770 duration:.... This means that you will not be able to see the
2771 results of the capture after it stops; it’s primarily useful for
2772 testing.
2773
2774 WIRESHARK_LOG_LEVEL
2775
2776 This environment variable controls the verbosity of diagnostic
2777 messages to the console. From less verbose to most verbose levels
2778 can be critical, warning, message, info, debug or noisy. Levels
2779 above the current level are also active. Levels critical and error
2780 are always active.
2781
2782 WIRESHARK_LOG_FATAL
2783
2784 Sets the fatal log level. Fatal log levels cause the program to
2785 abort. This level can be set to Error, critical or warning. Error
2786 is always fatal and is the default.
2787
2788 WIRESHARK_LOG_DOMAINS
2789
2790 This environment variable selects which log domains are active. The
2791 filter is given as a case-insensitive comma separated list. If set
2792 only the included domains will be enabled. The default domain is
2793 always considered to be enabled. Domain filter lists can be
2794 preceded by '!' to invert the sense of the match.
2795
2796 WIRESHARK_LOG_DEBUG
2797
2798 List of domains with debug log level. This sets the level of the
2799 provided log domains and takes precedence over the active domains
2800 filter. If preceded by '!' this disables the debug level instead.
2801
2802 WIRESHARK_LOG_NOISY
2803
2804 Same as above but for noisy log level instead.
2805
2807 Wireshark would not be the powerful, featureful application it is
2808 without the generous contributions of hundreds of developers.
2809
2810 A complete list of authors can be found in the AUTHORS file in
2811 Wireshark’s source code repository and at
2812 https://www.wireshark.org/about.html#authors.
2813
2815 wireshark-filter(4), tshark(1), editcap(1), pcap(3), dumpcap(1),
2816 mergecap(1), text2pcap(1), pcap-filter(7) or tcpdump(8)
2817
2819 This is the manual page for Wireshark 4.0.8. The latest version of
2820 Wireshark can be found at https://www.wireshark.org.
2821
2822 HTML versions of the Wireshark project man pages are available at
2823 https://www.wireshark.org/docs/man-pages.
2824
2825
2826
2827 2023-08-31 WIRESHARK(1)